Video identification and liveness checks in the financial sector

A secure and reliable identification of the customer is essential to create a business relationship in the financial sector and other sectors operating under a heightened risk of fraudulent activity; the digital age makes no exception to this rule. Digital applications must meet special standards when used by anti-money laundering obliged entities (obliged entities). Video identification (video ID) and liveness checks offer the technical reliability to ensure the anti-money laundering compliant identification of individuals. It is eventually in the industries self-interest to minimize risks and mitigate and correct potential security breaches or violations in relation to money laundering, terrorist financing, data security and identity theft.

What is video ID and which technical solutions are available?

Video ID providers act as the interface between new customers and businesses, and replace personal identification in the shop or branch office through a convenient online application. Several options are technically possible. Identification can be conducted by employees of the video ID provider either synchronous (through live video chat) or asynchronous (through a timely deferred recording). Artificial Intelligence (AI) that autonomously scans ID documents in real time and matches biometrical features is one more possibility. Through a so-called liveness check the AI can distinguish between real human features and copies such as photos or recorded videos. On the basis of facial recognition software the AI searches for unconscious movements as well as requesting specific actions of the person to be identified (e.g. blink the left eye twice).

General customer due diligence: identity check

The German Anti-Money Laundering Act (Geldwäschegesetz – GwG) regulates all cases in which banks, financial service providers or other obliged entities make use of video ID applications. General due diligence rules as laid-out in the GwG require obliged entities to identify the contracting party (e.g. through a valid government-issued ID or passport) prior to the establishment of any business relationship or the execution of certain types of transactions. The identification document must be “examined physically” or using “another procedure” offering an equivalent level of security. A procedure offering such a level of security is sanctioned by the German Federal Financial Supervisory Authority (BaFin) who generally permitted the use of video ID under the prerequisite that the application meets certain criteria.

Standards for video ID procedures

Specifically through its circular 3/2017 on video identification procedures BaFin substantiated its regulatory practice with regard to the admissibility of video ID applications used by obliged entities BaFin is delegated to supervise. BaFin states it will only accept video ID schemes that offer real time identification through a company employee without interruption (synchronous identification). Asynchronous methods or the use of AI will not (yet) be issued a license.

BaFin further sets the following standards a synchronous video ID application must meet to obtain a license which is generally available to all obliged entities under BaFin supervision governed by the GwG.

Human Standards

Video ID must be carried out by trained employees of the obliged entity. Alternatively, the obliged entity may outsource the customer identification to a third party provider e.g. a video ID provider such as IDnow or WebID whose employees must be equally trained. Employees must be familiarised with the general procedure, the features of the permitted documents as well as common counterfeiting possibilities of both. BaFin requires such training both before taking up the identification duties as well as at regular, at least yearly, intervals. Additional training is necessary upon the event of changing legal and/or supervisory and/or data protection requirements. During the identification process the employees must be situated in separate premises with restricted access and record explicit consent of the person to be identified.  

Technical Standards

Only real time video transmissions with end-to-end encryption that provide an adequate quality of both sound and image are permitted by BaFin. All identification documents with security features that are sufficiently forgery-proof, clearly identifiable and therefore verifiable using video transmission technology qualify for video ID. Depending on the document, optical security features include diffractive features (e.g. holograms), personalisation technology (e.g. tilted laser images), material (e.g. a security thread) and security printing (e.g. micro lettering). The identifying employee must check the identification document’s security features with a positive result in at least three randomly selected categories. A valid government issued ID card or passport should always pass this test. The employee must visually examine the document while the to be identified person tilts the document horizontally and vertically. Additionally, the interview structure must vary in terms of sequence and types of questions the employee asks.

Should, at any point in the interview, the technical standards fail to be met, the identification process must be aborted and can only be repeated as a whole.

Other Security Standards

A transaction number (TAN) must be generated for each individual video ID process and entered directly by the person who is to be identified. The employee sends the TAN by email or SMS to the person to be identified who returns the Tan through the interface. The video ID provider must preserve a record of the compliance with the human and technical standards, the customer’s consent as well as entire video ID process (visual and acoustic) for a possible internal or external review. This naturally includes data security and data protection requirements according the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

What’s next?

BaFin will review circular 3/2017 in 2020. The evaluation shall determine, in light of technological developments as well as the general experience with the procedure, whether video ID can continue to be generally in compliance with anti-money laundering requirements. BaFin will then decide on amendments to its regulatory practice, new or different requirements for existing procedures and on the possibility to admit additional video ID procedures such as asynchronous video ID or the use of AI.

The implementation of the fifth EU Anti-Money Laundering Directive (AMLD 5)  into German GwG could potentially affect video ID as well.

What other options are available?

A tangible identification by means of a recorded video or AI and liveness checks may for now fail to meet BaFin’s regulatory framework through the technology’s lack trained employees performing a real time assessment. The continuous development of the technology with regard to accuracy and security could potentially persuade BaFin as early as 2020 when the regular review of the circular is due.

Electronic Identification governed by the eIDAS-Regulation is, however, a reality. The method requires the scan of ID documents with a specially designated device and process and transmission by a trust service. Considering acquisition costs as well as the technologies operation at home or in the office prove to be by far more complicated than convenient video ID solutions using a smartphone or laptop camera. Electronic identification will most likely not replace video ID but coexist next to it.

Conclusion

Video ID offers new possibilities to conduct sensitive business online. Adding the comfort of avoiding a media break in the onboarding of new customers can bring significant economic advantages for obliged entities. The risk of losing a new customer on the way to a branch office for identification can be mitigated. To utilize the opportunities of digitalisation, the obliged entity must however follow the strict rules of the German regulator. The use of AI, but at least asynchronous identification, can already be a technically sound option. The settlement of this reality in regulatory practice is the next step. We are pioneers in new and disruptive technologies and advise on various video ID projects since 2014.

The authors thank Sascha Lucas for his support.